Selectively performing man in the middle decryption
Abstract
An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
21 Claims
1. A method performed by data processing apparatus, the method comprising:
receiving, by an agent on a device within a network, a request to access a resource outside the network;
establishing, by the agent, a first encrypted connection between the device and the agent such that the agent is configured to act as a proxy of the resource to the device;
establishing, by the agent, a second encrypted connection between the agent and the resource such that the agent is configured to act as a proxy of the device to the resource;
sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource;
receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network;
decrypting and selectively inspecting, by the agent, encrypted communication traffic from the device and addressed to the resource, depending on the security policies;
decrypting and selectively inspecting, by the agent, encrypted communication traffic from the resource and addressed to the device, depending on the security policies;
receiving, by the agent, a second request to access a second resource outside the network;
determining that the second resource is on a whitelist that lists resources for which man-in-the-middle analysis should not apply; and
causing the establishment, responsive to determining that the second resource is on the whitelist, of a third encrypted connection between the device and the second resource to facilitate encrypted communication traffic between the device and the second resource;
wherein the first, the second, and the third encrypted connections are separate and have different formats.
Dependent claims: 2, 3, 4, 5, 6, 7
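The per-request decision logic an on-device agent needs in order to carry out claim 1 is sketched below as an added example; it is not the patent's or any vendor's code. The policy names, the appliance's response format and the whitelist being a set of exact hostnames are all assumptions made for the example.

```python
# Constructed example: decision logic for a selectively intercepting agent.
# Policy names, the appliance response shape and exact-host whitelisting are assumptions.
from dataclasses import dataclass, field

# Which traffic direction each (assumed) policy type asks the agent to inspect.
POLICY_DIRECTIONS = {
    "dlp": {"outbound"},                 # data-loss prevention: device -> resource
    "malware": {"inbound"},              # content scanning: resource -> device
    "url-filter": {"outbound", "inbound"},
}


@dataclass
class PolicyAppliance:
    """Stand-in for the in-network appliance that answers policy requests."""
    policies: dict  # hostname -> list of policy names (constructed sample data)

    def lookup(self, resource: str) -> list:
        return list(self.policies.get(resource, []))


@dataclass
class Agent:
    whitelist: frozenset      # exact hostnames excluded from man-in-the-middle analysis
    appliance: PolicyAppliance
    log: list = field(default_factory=list)

    def handle_request(self, resource: str) -> dict:
        # Normalise before matching so case or a trailing dot cannot dodge the lookup;
        # exact-host matching means "bank.example.org.attacker.test" never matches.
        host = resource.lower().rstrip(".")
        if host in self.whitelist:
            # Whitelisted: one direct end-to-end session (the "third connection"), nothing decrypted.
            decision = {"resource": host, "mode": "passthrough", "policies": []}
        else:
            # Otherwise two separate TLS sessions terminate at the agent, and the
            # appliance's policy response decides which directions are inspected.
            decision = {"resource": host, "mode": "intercept",
                        "policies": self.appliance.lookup(host)}
        self.log.append(decision)
        return decision

    def should_inspect(self, decision: dict, direction: str) -> bool:
        """True if decrypted traffic in this direction is handed to inspection."""
        if decision["mode"] != "intercept":
            return False
        return any(direction in POLICY_DIRECTIONS.get(p, set())
                   for p in decision["policies"])
```

A resource that is neither whitelisted nor covered by any policy is still proxied through the agent but nothing is inspected in either direction.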
8. A non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising:
receiving, by an agent on a device within a network, a request to access a resource outside the network;
establishing, by the agent, a first encrypted connection between the device and the agent such that the agent is configured to act as a proxy of the resource to the device;
establishing, by the agent, a second encrypted connection between the agent and the resource such that the agent is configured to act as a proxy of the device to the resource;
sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource;
receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network;
decrypting and selectively inspecting, by the agent, encrypted communication traffic from the device and addressed to the resource, depending on the security policies;
decrypting and selectively inspecting, by the agent, encrypted communication traffic from the resource and addressed to the device, depending on the security policies;
receiving, by the agent, a second request to access a second resource outside the network;
determining that the second resource is on a whitelist that lists resources for which man-in-the-middle analysis should not apply; and
causing the establishment, responsive to determining that the second resource is on the whitelist, of a third encrypted connection between the device and the second resource to facilitate encrypted communication traffic between the device and the second resource;
wherein the first, the second, and the third encrypted connections are separate and have different formats.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A system comprising:
one or more processors configured to execute computer program instructions; and
non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising:
receiving, by an agent on a device within a network, a request to access a resource outside the network;
establishing, by the agent, a first encrypted connection between the device and the agent such that the agent is configured to act as a proxy of the resource to the device;
establishing, by the agent, a second encrypted connection between the agent and the resource such that the agent is configured to act as a proxy of the device to the resource;
sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource;
receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network;
decrypting and selectively inspecting, by the agent, encrypted communication traffic from the device and addressed to the resource, depending on the security policies;
decrypting and selectively inspecting, by the agent, encrypted communication traffic from the resource and addressed to the device, depending on the security policies;
receiving, by the agent, a second request to access a second resource outside the network;
determining that the second resource is on a whitelist that lists resources for which man-in-the-middle analysis should not apply; and
causing the establishment, responsive to determining that the second resource is on the whitelist, of a third encrypted connection between the device and the second resource to facilitate encrypted communication traffic between the device and the second resource;
wherein the first, the second, and the third encrypted connections are separate and have different formats.
Dependent claims: 16, 17, 18, 19, 20, 21